Spectroscopy of traceroute delays

Andre Broido

Young Hyun

kc claffy

CAIDA, San Diego Supercomputer Center, University of California San Diego

[NOTE: This is an updated version of the paper published in Proceedings
of PAM 2005. The hardcopy version published by Springer includes the deprecated version, while the electronic
proceedings include this updated version. The updated paper correctly accounts for
the specific timestamp behavior, previously unknown to the authors,
of the particular version of the firmware used in the Dag GE card of our
experiments.]

We analyze delays of traceroute probes, i.e. packets that elicit ICMP
TimeExceeded messages, for a full range of probe sizes up to 9000 bytes as observed
on unloaded high-end routers. Our ultimate motivation is to use traceroute
RTTs for Internet mapping of router and PoP (ISP point-of-presence) level nodes,
including potentially gleaning information on equipment models, link technologies,
capacities, latencies, and spatial positions. To our knowledge, this is the first
study to examine, in a reliable testbed setting, the detailed statistics of ICMP
response generation.

We find that two fundamental assumptions about ICMP may not hold in some cases
in modern routers, namely that ICMP delays are a linear function of packet size
and that ICMP generation rate is equal to the capacity of the interface on which
probes are received. The primary causes of these violations appear to be
internal segmentation of packets into cells and limiting of ICMP packet rates
and bit rates inside a router. Our results suggest that the linear model of
packet delay as a function of packet size merits revisiting for certain router
models and time resolutions. Our findings also suggest possibilities of
developing new techniques for bandwidth estimation and router fingerprinting.